Described is a technology in which a non-administrator computer/web user is allowed to perform an administrative-level task within a certain context and/or scope. An authorization store is queried based on information (e.g., a provider, a username, and a path) provided with an authorization request, e.g., from an application via an API. The information in the authorization store, set up by an administrator, determines whether the administrative action is allowed. If so, a credential store provides credentials that allow the action to be run before reverting the user to the prior set of credentials. Also described is a pluggable provider model through which the authorization store and/or delegation store are accessed, whereby the data maintained therein can be in any format and/or at any location known to the associated provider.
Legal claims defining the scope of protection, as filed with the USPTO.
1. In a computing environment, a method comprising: receiving a request to authorize a non-administrative user to perform an administrative action; accessing an authorization store, which is configured with information that corresponds to users and specified actions associated with those users, for determining whether the non-administrative user is allowed to perform the administrative action, wherein the authorization store provides a userscope variable that specifies a path for the non-administrative user, and wherein the path specified is automatically substituted for the non-administrative user based on a user login of the non-administrative user; in response to a determination that the non-administrative user is allowed to perform the administrative action, providing credentials that allow the non-administrative user to perform the administrative action using impersonation, wherein the credentials are specified for at least one of running the action as a process, running the action as a current user, or running the action as a specific user; running the administrative action; and upon completion of the administrative action, returning the non-administrative user to a set of credentials that were associated with that non-administrative user prior to running the administrative action.
2. The method of claim 1 wherein providing the credentials comprises accessing a delegation store.
3. The method of claim 1 wherein the authorization store provides a userscope variable that infers information already known about a user from a user login.
4. The method of claim 1 wherein accessing the authorization store comprises communicating through a provider associated with that authorization store.
5. The method of claim 4 wherein the request identifies the provider, a username, and a path.
6. The method of claim 4 wherein receiving the request comprises handling an API call.
7. The method of claim 1 wherein determining whether the non-administrative user is allowed to perform the administrative action comprises: evaluating whether all users are denied; in response to a determination that all users are not denied, evaluating whether the non-administrative user is denied; in response to a determination that the non-administrative user is not denied, evaluating whether the non-administrative user is allowed; in response to a determination that the non-administrative user is not allowed, evaluating whether a role associated with the non-administrative user is denied; in response to a determination that the role associated with the non-administrative user is not denied, evaluating whether the role associated with the non-administrative user is allowed; in response to a determination that the role associated with the non-administrative user is not allowed, evaluating whether all users are allowed.
8. The method of claim 1 further comprising: defining an authorization scope for authorizing the user based on a regular expression, a database connection string or a file system path.
9. In a computing environment, a system comprising: a rules engine configured to receive a request to authorize a non-administrative user to perform an administrative action; an authorization store stored in memory coupled to the rules engine and configured to provide information that corresponds to users and specified actions associated with those users, the information including a userscope variable that specifies a path for the non-administrative user, the rules engine configured to automatically substitute the path specified for the non-administrative user based on a user login of the non-administrative user, the rules engine configured to determine whether the non-administrative user is allowed to perform the administrative action, and in response to a determination that the non-administrative user is allowed to perform the administrative action, the rules engine configured to obtain credentials from a credential store to enable the non-administrative user to perform the administrative action, wherein the credentials are specified for at least one of running the action as a process, running the action as a current user, or running the action as a specific user.
10. The system of claim 9 wherein the rule engine is coupled to the authorization store and the delegation store via a provider.
11. The system of claim 9 wherein the provider comprises a pluggable provider that is associated with the authorization and delegation stores.
12. The system of claim 9 wherein the delegation store provides credentials for running the action as a process, running the action as a current user, or running the action as a specific user.
13. The system of claim 9 wherein rule engine receives the request from an application via an API call.
14. The system of claim 9 further comprising an internet information service, wherein at least some user-related information is identified based upon a prior login to the internet information service.
15. The system of claim 9 wherein the credential store securely stores credentials using encryption.
16. One or more computer-readable storage devices storing computer-executable instructions, which in response to execution by a computer, cause the computer to perform steps, comprising: receiving a request to authorize a non-administrative user to perform an administrative action, the request including a provider, a username, and a path; using the provider to access an authorization store; determining from information in the authorization store and from the request whether the non-administrative user is allowed to perform the administrative action, including identifying a userscope variable that specifies a path for the non-administrative user and automatically substituting the path specified for the non-administrative user based on a user login of the non-administrative user; in response to a determination that the non-administrative user is allowed to perform the administrative action, obtaining credentials that allow the non-administrative user to perform the administrative action, wherein the credentials are specified for at least one of running the action as a process, running the action as a current user, or running the action as a specific user; running the administrative action; and returning the non-administrative user to a set of credentials that were associated with that non-administrative user prior to running the administrative action.
17. The one or more computer-readable storage devices of claim 16 wherein obtaining the credentials comprises accessing a delegation store that provides the credentials.
18. The one or more computer-readable storage devices of claim 16 wherein receiving the request comprises handling an API call.
19. The one or more computer-readable storage devices of claim 16 wherein determining whether the non-administrative user is allowed to perform the administrative action comprises matching provider, action and path information.
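The evaluation order of claim 7, combined with the userscope path substitution of claim 1 and the provider, action and path matching of claim 19, sketched in Python as an added example; it is not code from the patent. The `Rule` layout, the `{userscope}` placeholder syntax, forward-slash paths and the default-deny fallthrough are assumptions.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    effect: str      # "allow" or "deny"
    kind: str        # "all", "user" or "role"
    principal: str   # user or role name; ignored when kind == "all"
    provider: str
    action: str
    path: str        # may contain the hypothetical "{userscope}" placeholder

def _norm(path):
    # Collapse "." and ".." so a request cannot leave its scope by traversal.
    return posixpath.normpath("/" + path.strip("/"))

def _in_scope(rule_path, username, requested):
    # A login name that is itself a path fragment must never widen the scope.
    if "/" in username or username in {"", ".", ".."}:
        return False
    scope = _norm(rule_path.replace("{userscope}", username))
    req = _norm(requested)
    return scope == "/" or req == scope or req.startswith(scope + "/")

def is_authorized(rules, provider, action, username, roles, path):
    """Evaluate in the order of claim 7; the first matching step decides."""
    def hit(effect, kind, principals=()):
        return any(
            r.effect == effect and r.kind == kind
            and (kind == "all" or r.principal in principals)
            and r.provider == provider and r.action == action
            and _in_scope(r.path, username, path)
            for r in rules)
    if hit("deny", "all"): return False
    if hit("deny", "user", {username}): return False
    if hit("allow", "user", {username}): return True
    if hit("deny", "role", roles): return False
    if hit("allow", "role", roles): return True
    if hit("allow", "all"): return True
    return False  # assumption: a request that matches no rule is denied

# Constructed rule set for illustration, not taken from the patent.
RULES = [
    Rule("allow", "role", "site-owners", "fs", "createApp", "/sites/{userscope}"),
    Rule("deny", "user", "mallory", "fs", "createApp", "/sites"),
    Rule("allow", "user", "bob", "fs", "createApp", "/sites/alice/shared"),
    Rule("deny", "role", "contractors", "fs", "createApp", "/sites/alice"),
]
```

Because a user-level allow is evaluated before a role-level deny, a single per-user rule can override a role restriction, which is worth auditing when rules are delegated.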
January 16, 2009
March 4, 2014